Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Legislators Introduce Spy Block Act (21 March 2005)

The Spy Block Act, introduced last week by US Senators Conrad Burns (R-Mont.) and Ron Wyden (D-Ore.), is based on the premise that people have the right to know and control what software is installed on their machines. "The bill bans the surreptitious installation of software" in cases when the user did not request installation and it also takes aim at software that prevents efforts to uninstall or disable it. Also banned under the bill are the collection and transmission of information about computer users without their consent.
-http://www.internetnews.com/security/print.php/3491731
[Editor's Note (Schultz): I would really like to see a bill of this nature signed into law soon. Spyware is not only becoming increasingly malicious, but it constitutes an intolerable invasion of privacy. (Ranum): This is just political posturing. So spyware authors will have to add a few extra lines to their "clickwrap" license so that users "agree to" having their personal information shared. It's going to work about as well as CAN-SPAM did for the same reasons. The politicians know it.]

Service Providers for Fingerprint Alliance for Profiling Attacks (28 March 2005)

The Fingerprint Alliance, which counts among its members Cisco Systems Inc. and EarthLink Inc., has established "an automated process for sharing attack profiles across service-provider network." The software the service providers are using lets them establish baselines for their networks and alerts them when anomalies are detected. If an attack is identified, the fingerprint is shared automatically.
-http://www.techweb.com/wire/security/159907277
More info at -http://www.arbor.net/fingerprint-sharing-alliance.php

Four government banking agencies, including the Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve, have issued rules that require banks and other financial institutions to inform customers as soon as possible when their information has been stolen or its security has been breached and there is reason to believe it will be misused. Notice could be delayed if a law enforcement agency determines that it would interfere with a criminal investigation. Financial institutions are also required to inform their primary federal regulators whether or not customers are being informed.
-http://www.pcworld.com/news/article/0,aid,120168,00.asp
-http://news.zdnet.com/2102-1009_22-5635399.html?tag=printthis
-http://www.reuters.com/newsArticle.jhtml?storyID=7948563
[Editor's Note (Schultz): This is a major step forward in fighting identity theft, but the emphasis needs to shift from requiring notification to requiring responsibility in protecting personal and financial information in the first place.]

In a report entitled Cyber Security: A Crisis of Prioritization, the President's Information Technology Advisory Committee (PITAC) has recommended significant increases in cyber security R&D spending as well as a shift in focus from short-term to long-term security solutions. Among PITAC's recommendations: increase funding for the National Science Foundation's Cyber Trust program by at least $90 million annually; the current budget is just $30 million. The report also recommends increasing funding for the DHS (Department of Homeland Security) and DARPA (Defense Advanced Research Projects Agency) cyber security research budgets. The report also identifies key areas for future research, including authentication methodologies, end-to-end system security and secure networking protocols.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35311
-http://www.fcw.com/article88363-03-21-05-Web
-http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf
[Editor's Note (Northcutt): I was deeply troubled by a quote from page 42: "U.S. academic institutions employ fewer than 250 active cyber security or cyber assurance specialists, many of whom lack either formal training or extensive professional experience in the field."]

Korean Bank Under Investigation for Allegedly Using Pirated Microsoft Software (23 March 2005)

Police in Seoul, Korea are investigating a complaint lodged by Microsoft Korea against a local bank for using pirated software; 61% of the bank's 11,400 computers are allegedly running pirated software. Microsoft is also charging that the bank has not renewed its contract for the 4,500 computers for which the software was initially purchased. The bank maintains that under the terms of its contract with Microsoft, it can make as many copies of the software as it pleases. -http://english.chosun.com/w21data/html/news/200503/200503230040.html

Apple in Cat and Mouse Game Around iTunes Copy Protection (23/22/21 March 2005)

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Unbounded Buffer Vulnerability in Trillian 3.1 (28 March 2005)

An unbounded buffer vulnerability in Trillian 3.1, an IM client from Cerulean Studios, could allow attackers to shut down programs on vulnerable computers or even take control of machines' operating systems. There have been no reports of exploits for the flaw. Cerulean co-founder and CEO Scott Werndorfer said the vulnerability is "extremely low risk" and that it would be fixed in the next Trillian release. -http://asia.cnet.com/news/security/printfriendly.htm?AT=39223424-39037064t-39000005c

Sybase Inc. has sent a letter to Next Generation Security Software, Ltd., informing them that it will take legal action if NGS releases information about eight buffer overflow and denial-of-service vulnerabilities NGS claims to have discovered in Sybase's Adaptive Server Enterprise software v.12.5.3. NGS had initially informed only Sybase of the vulnerabilities; Sybase in turn released a patched version of the affected software in February 2005. NGS had planned to release the information about the flaws on March 28, 2005, but has decided against doing so.
-http://www.computerworld.com/printthis/2005/0,4814,100637,00.html
-http://www.eweek.com/print_article2/0,2533,a=148276,00.asp
[Editor's Note (Pescatore): There have been a number of formal proposals for "responsible vulnerability reporting" but the basics are pretty well understood. Notify the vendor of the product, allow 30 days to respond. If they say additional time is required to produce/test a patch (which in today's software world is pretty much the norm), wait. Never give out exploit code. This doesn't mean go back to the days where vendors never admitted security bugs and only patched as part of normal product upgrades - that was a different, but equally dangerous, form of irresponsibility. (Ranum): Having been on the sharp end of extortionate demands from "grey hat security researchers" I can only applaud Sybase's choice to hold vulnerability researchers responsible for the consequences of their actions.]

STANDARDS AND BEST PRACTICES

Ten Worst Security Practices (24 March 2005)

A list of the ten worst security practices includes buying products to fix security holes as they arise, neglecting to create a security policy, treating all data as equal and backing up all data every night. The list includes tips on what to do instead.
-http://www.nwc.securitypipeline.com/159900223
[Editor's Note (Schultz): A ten worst security practices list is an extremely innovative idea, but I seriously wonder if the individuals who need to see this list the most will ever be motivated to look at it. As they say, ignorance is bliss.]

MISCELLANEOUS

Cases involving data stored on computers depend on investigators being able to decrypt encrypted data. The US Secret Service has linked 4,000 of its employees' computers into the Distributed Networking Attack (DNA) program, which works to crack the passwords protecting criminals' encryption keys. DNA uses plaintext data from the seized computers to help create word lists for cracking passwords; frequently visited web sites can offer clues to criminals' interests and help generate the list. The process grows more complicated when the criminals communicate in a melange of languages and combinations of Roman and non-Roman alphabets. (Note: This site requires free registration)
-http://www.washingtonpost.com/ac2/wp-dyn/A6098-2005Mar28?language=printer
[Editor's Note (Pescatore): Back in the Prohibition (making alcohol illegal) days in the US, moonshiners would soup up their car engines to outrun law enforcement. Of course, this led law enforcement to buy their own souped-up patrol cars. Always good to see the good guys learn from the bad guys - distributed key cracking for fun, profit and investigation. (Shpantzer): The Scarfo case is an interesting study in bypassing strong encryption in the days when computing power wasn't what it is today. Way back in 1999, the FBI got a 'snoop and poop' warrant to surreptitiously install a keystroke logger on the suspected mafioso's computer, looking for the passphrase to his encrypted folders. For more information, including the original search warrants, see -http://www.epic.org/crypto/scarfo.html for general case info. Scroll down and look for the applications for surreptitious entry and delay of notification.]

The National Institute of Standards and Technology (NIST) has released Special Publication 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule. It includes recommendations for the types of systems needed to meet HIPAA mandates, which go into effect on April 20, 2005, and describes the similarities between the HIPAA Security Rule and the Federal Information Security Management Act (FISMA).
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35364

State and federal law enforcement officials speaking on an information security panel urged companies to report network security breaches. While companies are often reluctant to reveal such information for fear it will tarnish their reputation, law enforcement officials said every bit of information helps and what is withheld could be an important missing piece in another investigation. -http://www.computerworld.com/printthis/2005/0,4814,100598,00.html

Scott Granneman's column addresses the ever-expanding capabilities of mobile phones and how the added convenience of new features and the capability to store more information creates additional security concerns and attack vectors. People are not always making good security choices when it comes to the new technology; after the much-publicized cracking of Paris Hilton's Sidekick II, sales of the phone reportedly soared. -http://www.securityfocus.com/printable/columnists/310

March alone has seen at least 10 incidents in which people's personal data were compromised or stolen. However, none of the attacks listed involved online transactions. Merchants are allowed to sell customers' personal information to whomever they choose and to put it in a database with unknown security precautions. US legislation has focused largely on increasing penalties for identity theft rather than addressing the way in which merchants and data brokers use people's information. Identity theft and credit card fraud will remain impossible to prevent until this problem is addressed. -http://www.theregister.co.uk/2005/03/23/id_theft_cannot_be_escaped/print.html

Security Managers Take Proactive Measures (21 March 2005)

Security managers are increasingly taking a proactive stance toward network security. This shift is driven by several factors, including Sarbanes-Oxley compliance requirements; increasing use of wireless technology, remote workers and web services; and the ever-shrinking lag time between the disclosure of a vulnerability and the appearance of malware to exploit it. General Motors Corp. denies network access to anyone the company has not vetted. Texas Tech University deployed network behavior modeling tools to establish baseline network behavior and quickly detect and identify anomalies. Companies are also looking to build security into application software and to encourage the software industry to incorporate security into the development process.
-http://www.computerworld.com/printthis/2005/0,4814,100450,00.html

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/